18285 - Warning "aFrame is already associated with a region" (was crash on infoworld)

Status: VERIFIED FIXED

(Core :: CSS Parsing and Computation, defect, P4)

Description

[Mo DeJong]

I was surfing on http://www.infoworld.com and it seemed to get stuck so
I pressed the stop button. After doing that I got this SIGSEV. I was
using a CVS build from Nov 6th on a RedHat 5.2 Linux system.

Here is the code inside layout/html/style/src/nsCSSFrameConstructor.cpp line
6548.


6543        // Get view if this frame has one and trigger an update. If the
6544        // frame doesn't have a view, find the nearest containing view
6545        // (adjusting r's coordinate system to reflect the nesting) and
6546        // update there.
6547        nsIView* view = nsnull;
6548        aFrame->GetView(&aPresContext, &view);
6549        nsIView* parentView;
6550        if (! view) { // XXX can view have children outside it?
6551          aFrame->GetOffsetFromView(&aPresContext, viewOffset, &parentView);
6552          NS_ASSERTION(nsnull != parentView, "no view");


It looks like the aFrame pointer is OK but that something does wrong inside the
GetView call.


(gdb) print aFrame
$1 = (nsIFrame *) 0x873f2b0

(gdb) call aFrame->GetView(&aPresContext, &view)
Cannot access memory at address 0x2e74643d.




Here is the stack trace I got.


#0  0x40ea66a9 in ApplyRenderingChangeToTree (aPresContext=@0x846d638,
aFrame=0x873f2b0,
    aViewManager=0x0) at
../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6548
#1  0x40ea6df7 in nsCSSFrameConstructor::ProcessRestyledFrames (this=0x8584ae0,
    aChangeList=@0xbfffe864, aPresContext=0x846d638)
    at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6707
#2  0x40ea74c9 in nsCSSFrameConstructor::ContentStatesChanged (this=0x8584ae0,
    aPresContext=0x846d638, aContent1=0x8543854, aContent2=0x8866784)
    at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6826
#3  0x40f969ed in StyleSetImpl::ContentStatesChanged (this=0x8584a90,
aPresContext=0x846d638,
    aContent1=0x8543854, aContent2=0x8866784) at
../../../../layout/base/src/nsStyleSet.cpp:983
#4  0x40d8a177 in PresShell::ContentStatesChanged (this=0x86fe3a8,
aDocument=0x8754d00,
    aContent1=0x8543854, aContent2=0x8866784)
    at ../../../../../layout/html/base/src/nsPresShell.cpp:1849
#5  0x40f598ef in nsDocument::ContentStatesChanged (this=0x8754d00,
aContent1=0x8543854,
    aContent2=0x8866784) at ../../../../layout/base/src/nsDocument.cpp:1491
#6  0x40d41fb6 in nsEventStateManager::SetContentState (this=0x8780b78,
aContent=0x8543854,
    aState=3) at ../../../../layout/events/src/nsEventStateManager.cpp:1515
#7  0x40dabd33 in nsHTMLAnchorElement::HandleDOMEvent (this=0x8543848,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
    at ../../../../../layout/html/content/src/nsHTMLAnchorElement.cpp:356
#8  0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x8359694,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
    at ../../../../layout/base/src/nsGenericElement.cpp:777
#9  0x40e160ed in nsHTMLTableElement::HandleDOMEvent (this=0x8359680,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
    at ../../../../../layout/html/content/src/nsHTMLTableElement.cpp:1302
#10 0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x879852c,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
    at ../../../../layout/base/src/nsGenericElement.cpp:777
#11 0x40e24d45 in nsHTMLTableSectionElement::HandleDOMEvent (this=0x8798518,
    aPresContext=@0x846d638, aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4,
    aEventStatus=@0xbffff084)
    at ../../../../../layout/html/content/src/nsHTMLTableSectionElement.cpp:373
#12 0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x8725edc,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
    at ../../../../layout/base/src/nsGenericElement.cpp:777
#13 0x40e228e9 in nsHTMLTableRowElement::HandleDOMEvent (this=0x8725ec8,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
    at ../../../../../layout/html/content/src/nsHTMLTableRowElement.cpp:738
#14 0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x87d8bb0,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=1, aEventStatus=@0xbffff084)
    at ../../../../layout/base/src/nsGenericElement.cpp:777
#15 0x40e1b01d in nsHTMLTableCellElement::HandleDOMEvent (this=0x87d8b98,
aPresContext=@0x846d638,
    aEvent=0xbffff188, aDOMEvent=0x0, aFlags=1, aEventStatus=@0xbffff084)
    at ../../../../../layout/html/content/src/nsHTMLTableCellElement.cpp:558
#16 0x40d8b2f8 in PresShell::HandleEvent (this=0x86fe3a8, aView=0x87f8358,
aEvent=0xbffff188,
    aEventStatus=@0xbffff084) at
../../../../../layout/html/base/src/nsPresShell.cpp:2239
#17 0x411cb7d7 in nsView::HandleEvent (this=0x87f8358, event=0xbffff188,
aEventFlags=8,
    aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:837
#18 0x411cb769 in nsView::HandleEvent (this=0x887c560, event=0xbffff188,
aEventFlags=8,
    aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:821
#19 0x411cb769 in nsView::HandleEvent (this=0x887c4a8, event=0xbffff188,
aEventFlags=8,
    aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:821
#20 0x411cb769 in nsView::HandleEvent (this=0x85d18c0, event=0xbffff188,
aEventFlags=28,
    aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:821
#21 0x411d72e3 in nsViewManager::DispatchEvent (this=0x87de4a8,
aEvent=0xbffff188,
    aStatus=@0xbffff084) at ../../../view/src/nsViewManager.cpp:1741
#22 0x411c98f8 in HandleEvent (aEvent=0xbffff188) at
../../../view/src/nsView.cpp:66
#23 0x404b35f0 in nsWidget::DispatchEvent (this=0x8587658, aEvent=0xbffff188,
aStatus=@0xbffff11c)
    at ../../../../widget/src/gtk/nsWidget.cpp:1279
#24 0x404b3388 in nsWidget::DispatchWindowEvent (this=0x8587658,
event=0xbffff188)
    at ../../../../widget/src/gtk/nsWidget.cpp:1190
#25 0x404b36a4 in nsWidget::DispatchMouseEvent (this=0x8587658,
aEvent=@0xbffff188)
    at ../../../../widget/src/gtk/nsWidget.cpp:1306
#26 0x404b4684 in nsWidget::OnButtonPressSignal (this=0x8587658,
aGdkButtonEvent=0x8215b28)
    at ../../../../widget/src/gtk/nsWidget.cpp:1868
#27 0x404b53b2 in nsWidget::ButtonPressSignal (aWidget=0x85f6750,
aGdkButtonEvent=0x8215b28,
    aData=0x8587658) at ../../../../widget/src/gtk/nsWidget.cpp:2334
#28 0x405c8a99 in gtk_marshal_BOOL__POINTER (object=0x85f6750,
    func=0x404b52d4 <nsWidget::ButtonPressSignal(_GtkWidget *, _GdkEventButton
*, void *)>,
    func_data=0x8587658, args=0xbffff2a0) at gtkmarshal.c:30
#29 0x4058dc52 in gtk_handlers_run (handlers=0x8534458, signal=0xbffff25c,
object=0x85f6750,
    params=0xbffff2a0, after=0) at gtksignal.c:1909
#30 0x4058d158 in gtk_signal_real_emit (object=0x85f6750, signal_id=20,
params=0xbffff2a0)
    at gtksignal.c:1469
#31 0x4058b468 in gtk_signal_emit (object=0x85f6750, signal_id=20) at
gtksignal.c:552
#32 0x405c0110 in gtk_widget_event (widget=0x85f6750, event=0x8215b28) at
gtkwidget.c:2790
#33 0x4056013d in gtk_propagate_event (widget=0x85f6750, event=0x8215b28) at
gtkmain.c:1296
#34 0x4055f472 in gtk_main_do_event (event=0x8215b28) at gtkmain.c:753
#35 0x40604ed6 in gdk_event_dispatch (source_data=0x0, current_time=0xbffff620,
user_data=0x0)
    at gdkevents.c:2098
#36 0x4062dc8f in g_main_dispatch (current_time=0xbffff620) at gmain.c:652
#37 0x4062e277 in g_main_iterate (block=1, dispatch=1) at gmain.c:870
#38 0x4062e3f9 in g_main_run (loop=0x81c42b8) at gmain.c:928
#39 0x4055eedf in gtk_main () at gtkmain.c:475
#40 0x4049d80f in nsAppShell::Run (this=0x80a1f48) at
../../../../widget/src/gtk/nsAppShell.cpp:399
#41 0x4032a031 in nsAppShellService::Run (this=0x809fda0)
    at ../../../../xpfe/appshell/src/nsAppShellService.cpp:483
#42 0x804c85c in main1 (argc=1, argv=0xbffff834) at
../../../xpfe/bootstrap/nsAppRunner.cpp:580
#43 0x804cae9 in main (argc=1, argv=0xbffff834) at
../../../xpfe/bootstrap/nsAppRunner.cpp:670

Comment 1

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Using Linux apprunner 1999-11-08-08-M11, I crashed on http://www.infoworld.com/
two out of two tries with the following sequence of events (and then my X server
crashed right before I got to commenting on this bug):

TO REPRODUCE:
1 Load http://www.infoworld.com/
2 hit Stop before page is fully loaded
3 scroll down a bit
4 click on a link.  You may have to click a few times before it does anything.

RESULTS:
* after 3) scrolling down causes all the colors to disappear, and the page shows
   with its default styles
* after 4) crash

I didn't get a stack trace, but, based on the previous one here, changing to
style system.

Comment 2

[larry]

Crashed for me too.  1999111017 on redhat 6.0, xfree 3.3.5, kde 1.2.

Comment 3

[Pierre Saslawsky]

Same crash on Mac. Apparently the frame passed to ApplyRenderingChangeToTree() is
invalid: it has been disposed somewhere else but it continues to be used by
nsStyleChangeList.

Comment 4

[Pierre Saslawsky]

Bug 18167 will be closed as dup of this one. It describes a very easily
reproduceable test case: go to http://www.maths.newcastle.edu.au and select some
text.

Comment 5

[Pierre Saslawsky]

*** Bug 18167 has been marked as a duplicate of this bug. ***

Comment 6

[Pierre Saslawsky]

It looks like this bug is in fact as easy to reproduce as 18167: a single click
on infoworld causes a crash.

Comment 7

[leger]

Updating QA contact.

Comment 8

[Michael Lowe]

On the http://www.maths.newcastle.edu.au page, it seems that an unclosed <a
name="Top"> tag is responsible for the crash.   Removing this tag from the page
prevents the crash.

Comment 9

[Pierre Saslawsky]

The crash has been fixed in nsFrameManager.cpp but since the debug builds show
errors during the style context verifications in nsFrameManager:
VerifyContextParent(), I'm not marking the bug fixed yet.

Comment 10

[Pierre Saslawsky]

I had to back out my change that was causing bug 20042. The status of this bug is
now:
- It no longer crashes on InfoWorld because they changed their presentation. It
no longer shows the debug output from VerifyContextParent() either.
- It still crashes on http://www.maths.newcastle.edu.au and as Michael pointed
out, it is related to the unclosed <a name="Top"> tag.
- A copy of the former InforWorld page will be attached to this bug report if
needed.

Comment 11

[Pierre Saslawsky]

Attachment: The old InfoWorld page

Comment 12

[Pierre Saslawsky]

The old InfoWorld page doesn't crash anymore. We just have the following debug
messages:
--
WARNING: aFrame is already associated with a region, file nsSpaceManager.cpp,
line 718
###!!! ASSERTION: bad floater placement: 'NS_SUCCEEDED(rv)', file
nsBlockFrame.cpp, line 5444
--
Reset the target milestone.
Updated the summary.
Reassigned to Troy to have a look.

Comment 13

[troy]

Block issue

Comment 14

[buster]

changing severity to "normal" and priority to "P3" since it no longer crashes.
It's not even clear if there is a bug here at all.  The page layout looks
correct.  I'll have to look into the space manager to see what the debug output
means.

Comment 15

[leger]

Adding "crash" keyword to all known open crasher bugs.

Comment 16

[buster]

mine! mine mine mine!  all mine!  whoo-hoo!

Comment 17

[buster]

removed crash keyword, the crash was fixed long ago.  I have a fix in hand for
the assert.

Comment 18

[buster]

fix checked in.  should be able to verify against 4/17/00 build.

Comment 19

[leger]

Adding crash keyword

Comment 20

[Christine Hoffman]

Tested using the following builds:
Win: 7_18_11
Mac: 7_19_12
Linux: 7_20_09

No crashes. Verifying bug fixed.